© 2026 blacktemple.net

Cyber Av3ngers

Also known as: CyberAv3ngers · Cyber Avengers · IRGC Cyber Front

hacktivist
Nation: Iran
Active Since: 2020
Targets:
  • Water Utilities
  • Industrial Control Systems
  • Critical Infrastructure
  • Israel-linked Technology
Known Tools:
  • PLCshell
  • Custom ICS Exploitation Tools
  • Unitronics PLC Exploitation
  • Web Defacement Tools
MITRE ATT&CK: T1190, T1078, T1059.004, T1498, T1491.002, T1203, T1565.001, T1489, T1133
References:
  • CISA/FBI/NSA CyberAv3ngers Advisory
  • Treasury OFAC Sanctions
  • FBI Wanted: Cyber Av3ngers
  • EPA/CISA Water Sector Alert

Background

Cyber Av3ngers is an Iranian hacktivist group linked to the Islamic Revolutionary Guard Corps (IRGC). The group presents itself as an independent hacktivist collective, but U.S. government analysis and sanctions designations by the Treasury Department's OFAC have assessed the group to be an IRGC cyber front organization operating under the direction of the IRGC's Electronic Warfare and Cyber Defense Organization.

The group gained significant international attention in late 2023 when it compromised programmable logic controllers (PLCs) at multiple U.S. water utilities, taking advantage of Unitronics Vision Series PLCs with default passwords and internet-exposed management interfaces. The attacks prompted a joint advisory from CISA, FBI, EPA, and NSA and led to OFAC sanctions against six IRGC officers associated with the group in February 2024.

Unlike most hacktivist groups that conduct DDoS or website defacement, Cyber Av3ngers demonstrates the rare capability to target industrial control systems (ICS). This is a significant escalation that places them in a category typically associated with nation-state actors. The group's IRGC affiliation suggests their hacktivist persona is cover for state-directed operations targeting Israel and its allies, particularly in the context of the Israel-Hamas conflict.

Notable Campaigns

U.S. Water Utility PLC Campaign (November-December 2023): Cyber Av3ngers compromised Unitronics Vision Series PLCs at multiple U.S. water utilities, including the Municipal Water Authority of Aliquippa in Pennsylvania. The attackers exploited default credentials on internet-exposed PLCs and displayed a defacement message stating the devices were made by Israeli company Unitronics. The attack demonstrated the accessibility of ICS targets with poor security hygiene and the group's willingness to target U.S. critical infrastructure.

Irish Water Utilities (2023): The group targeted water treatment facilities in Ireland, disrupting operations at an Irish utility and causing temporary service interruptions. This attack demonstrated the group's global reach and its systematic targeting of water sector industrial control systems.

Israeli Industrial Infrastructure (2023): Throughout the Israel-Hamas conflict, Cyber Av3ngers claimed attacks against Israeli industrial infrastructure, including fuel supply systems, power grid monitoring systems, and industrial automation controllers. While the verified impact of these claims varies, the targeting reflected the group's mission to attack Israeli and Israeli-linked infrastructure globally.

Unitronics Opportunistic Scanning (2023-2024): Following the initial water utility attacks, Cyber Av3ngers and other Iranian-linked actors conducted broad scanning for internet-exposed Unitronics devices globally, exploiting default credentials to gain access to ICS systems across multiple sectors and countries.

Tactics, Techniques & Procedures

Cyber Av3ngers exploits internet-exposed industrial control systems, particularly Unitronics PLCs, through default credential abuse (T1078) and direct exploitation of web-based management interfaces (T1190). The group conducts systematic scanning for exposed OT/ICS devices using search engines like Shodan and FOFA to identify vulnerable targets at scale.

Once access is achieved, the group modifies PLC configurations to display defacement messages (T1491.002), potentially alters operational parameters, and documents access for propaganda purposes. Unlike purely destructive actors, Cyber Av3ngers typically maximizes publicity impact from ICS access: the defacement and the media reporting about critical infrastructure compromise serve the group's psychological operations objectives alongside any operational disruption.

The group coordinates operations with the broader anti-Israel hacktivist ecosystem, sharing targets and techniques with affiliated groups. IRGC direction is assessed to focus the group on targets of strategic interest to Iran.

Tools & Malware

  • PLCshell: Malicious firmware or web shell tool used to interact with compromised Unitronics PLCs after gaining access through default credentials.
  • Custom ICS Exploitation Tools: Tools developed for identifying and exploiting specific industrial control system vulnerabilities, particularly in Unitronics and other Israeli-manufactured PLCs.
  • Unitronics PLC Exploitation Framework: Techniques and tools for accessing and manipulating Unitronics Vision Series HMI/PLC devices through their web interface and remote access protocols.
  • Web Defacement Tools: Scripts for replacing operational displays on HMI screens with Cyber Av3ngers messaging.

Indicators & Detection

Critical infrastructure operators, particularly water utilities, wastewater treatment facilities, and industrial facilities using Unitronics or other internet-connected PLCs, should immediately audit their OT environments for internet-exposed devices. Remove internet access from all ICS/SCADA systems where operationally feasible; implement VPN or jump server access where remote connectivity is required.

Change default credentials on all OT devices immediately. Unitronics devices should have their default administrative passwords changed and the Remote HMI web interface disabled or access-controlled. Implement multi-factor authentication on any remote access to OT systems.

Monitor for connections to Unitronics PLC management ports (TCP 20256 by default) from unexpected IP addresses. Alert on authentication attempts to OT management interfaces and any changes to PLC programs or operational parameters. For water utilities specifically, CISA's free cyber hygiene assessment services and the WaterISAC provide sector-specific resources for assessing and improving OT security posture.
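A defender-side check for the first of those monitoring points, written as an added example for this page (not code from the site or from any of the cited advisories): it parses constructed firewall connection records, ignores traffic to TCP 20256 from an assumed approved OT jump host (10.20.0.5), and raises an alert for everything else, rated critical when the source lies outside RFC 1918 space, which is the direct internet exposure the campaigns above relied on. The log format, addresses and the jump-host allowlist are assumptions.

```python
"""Flag connections to the Unitronics PLC management port (TCP 20256) that do not
originate from an approved OT jump host. Log format and sample records are
constructed for this example; adapt LINE_RE to your firewall's export format."""
import ipaddress
import re
from typing import Iterable

PLC_MGMT_PORT = 20256  # default Unitronics PLC management port named in the text above
APPROVED_SOURCES = {"10.20.0.5"}  # assumption: the only sanctioned remote path to the PLC VLAN
# Checked explicitly rather than via ipaddress.is_private, which also treats the
# RFC 5737 documentation ranges used in the sample data as non-public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze(lines: Iterable[str]) -> list[dict]:
    """Return one alert per suspicious record; benign or unparseable records are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let a malformed line take down the monitoring job
        f = m.groupdict()
        if f["proto"] != "tcp" or int(f["dport"]) != PLC_MGMT_PORT:
            continue
        if f["src"] in APPROVED_SOURCES:
            continue
        # A non-RFC1918 source means the PLC port is reachable from the internet;
        # a denied connection still shows someone is probing for it.
        severity = "high" if is_rfc1918(f["src"]) else "critical"
        alerts.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                       "severity": severity, "allowed_by_fw": f["action"] == "allow"})
    return alerts


SAMPLE_LOG = [  # constructed records; 203.0.113.0/24 and 198.51.100.0/24 stand in for public space
    "2023-11-25T03:14:07Z action=allow proto=tcp src=10.20.0.5 dst=10.20.1.10 dport=20256",
    "2023-11-25T03:15:22Z action=allow proto=tcp src=203.0.113.45 dst=10.20.1.10 dport=20256",
    "2023-11-25T03:16:01Z action=deny proto=tcp src=198.51.100.9 dst=10.20.1.10 dport=20256",
    "2023-11-25T03:17:40Z action=allow proto=tcp src=10.20.3.77 dst=10.20.1.10 dport=20256",
    "2023-11-25T03:18:12Z action=allow proto=tcp src=203.0.113.45 dst=10.20.1.10 dport=443",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The "high" finding (an internal host that is not the jump host) is the one worth chasing as lateral movement; a "critical" finding with allowed_by_fw set means the exposure the text warns about already exists.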
